Veracode Overview

What is Veracode?

Veracode covers all your Application Security needs in one solution through a combination of five analysis types; static analysis, dynamic analysis, software composition analysis, interactive application security testing, and penetration testing. Unlike on-premise solutions that are hard to scale and focused on finding rather than fixing, Veracode comprises a unique combination of SaaS technology and on-demand expertise that enables DevSecOps through integration with your pipeline, and empowers developers to find and fix security defects.

Veracode Buyer's Guide

Download the Veracode Buyer's Guide including reviews and more. Updated: July 2021

Veracode Customers

State of Missouri, Rekner

Veracode Video

Pricing Advice

What users are saying about Veracode pricing:
  • "For the value we get out of it, coupled with the live defect review sessions, we find it an effective value for the money. We are a larger organization."
  • "Veracode is expensive. Some of its products are expensive. I don't think it's way more expensive than its competitors. The dynamic is definitely worth it, as I think it's cheaper than the competitors. The static scan is a little bit more expensive, around 20 percent more expensive. The manual pen test is more expensive, but it is an expensive service because it's a manual pen test and we also do retests. I don't think it is way more expensive than the competitors, but it's about 15 to 20 percent more expensive."
  • "The pricing is really fair compared to a lot of other tools on the market."
  • "Veracode is one of the more expensive solutions in the market, but it is worth the expense because of the eLearning and the security consultations; everything is included in the license."
  • "It is very reasonably priced compared to what we were paying our previous vendor. For the same price, we are getting much more value and reducing our AppSec costs from 40 to 50 percent."
  • "If I compare the pricing with other software tools, then it is quite competitive. Whatever the price is, they have always given us a good discount."
  • "We use this product per project rather than per developer... Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive."

Filter Reviews

Filter by:
Filter Reviews
Industry
Loading...
Filter Unavailable
Company Size
Loading...
Filter Unavailable
Job Level
Loading...
Filter Unavailable
Rating
Loading...
Filter Unavailable
Considered
Loading...
Filter Unavailable
Order by:
Loading...
  • Date
  • Highest Rating
  • Lowest Rating
  • Review Length
Search:
Showingreviews based on the current filters. Reset all filters
reviewer1360617
Sr. Security Architect at a financial services firm with 10,001+ employees
Featured Review
Real User
Gave us much higher quality dynamic scanning with very few false positives and a robust static scanning solution

What is our primary use case?

We are using Dynamic Application Security Testing (DAST), Static Application Security Testing (SAST), and Static Component Analysis (SCA). We use different types of scanning across numerous applications. We also use Greenlight IDE integration. We are scanning external web applications, internal web applications, and mobile applications with various types/combinations of scanning. We use this both to improve our application security as well as achieve compliance with various compliance bodies that require code scanning.

Pros and Cons

  • "Veracode's cloud-based approach, coupled with the appliance that lets us use Veracode to scan internal-only web applications, has provided a seamless, always-up-to-date application security scanning solution."
  • "One feature I would like would be more selectivity in email alerts. While I like getting these, I would like to be able to be more granular in which ones I receive."

What other advice do I have?

Of all the tools vendors I have relationships with, Veracode is simply our best vendor in terms of partnership, value add, and support responsiveness.
ITCS user
Software Architect at Alfresco Software
Real User
Top 20
Prevents vulnerable code from going into production, but the user interface is dated and needs considerable work

What is our primary use case?

The use case is that we have quite a few projects on GitHub. As we are a consulting company, some of these projects are open source and others are enterprise and private. We do security investigating for these projects. We scan the repository for both the static analysis—to find things that might be dangerous—and we use the Software Composition Analysis as well. We get notifications when we are using some open source library that has a known vulnerability and we have to upgrade it. We can plan accordingly. We are using the software as a service.

Pros and Cons

  • "The solution's ability to prevent vulnerable code from going into production is perfectly fine. It delivers, at least for the reports that we have been checking on Java and JavaScript. It has reported things that were helpful."
  • "Veracode has plenty of data. The problem is the information on the dashboards of Veracode, as the user interface is not great. It's not immediately usable. Most of the time, the best way to use it is to just create issues and put them in JIRA... But if I were a startup, and only had products with a good user interface, I wouldn't use Veracode because the UI is very dated."
  • "Another problem we have is that, while it is integrated with single sign-on—we are using Okta—the user interface is not great. That's especially true for a permanent link of a report of a page. If you access it, it goes to the normal login page that has nothing that says "Log in with single sign-on," unlike other software as a service that we use. It's quite bothersome because it means that we have to go to the Okta dashboard, find the Veracode link, and log in through it. Only at that point can we go to the permanent link of the page we wanted to access."

What other advice do I have?

Usually, we open tickets now using the JIRA/GitHub integration and then we plan them. We decide when we want to fix them and we assign them to developers, mostly because there are some projects that are a little bit more on the legacy side. Changing the version of the library is not easy as in the newer projects, in terms of testing. So we do some planning. But in general, we open tickets and we plan them. We also have it integrated in the pipelines, but that's really just to report. It's a little bit annoying that the pipeline might break because of security issues. It's good to know, but the…
Karen Meohas
Information Assurance Manager at xMatters
Real User
Top 10
Centralized view shows the status of all scans, and if I want more information about something, it's one click away

What is our primary use case?

We have three use cases. We have the dynamic scans that we use to scan the production, public-facing URLs. We also use the static scan where we work with the Dev team and scan the code base for the web application and the mobile application on both iOS and Android. Our third use case is manual penetration tests, which my team manages. We do annual manual penetration tests. It's deployed to our platform infrastructure, which is in a public cloud.

Pros and Cons

  • "In terms of secure development, the SAST scan is very useful because we are able to identify security flaws in the code base itself, for the application."
  • "Their dashboard is really good, overall. In my opinion, it's one of the best in the market, and I say that because we have used other service providers."
  • "The feature that allows me to read which mitigation answer was submitted, and to approve it, requires me to use do so in different screens. That makes it a little bit more complicated because I have to read and then I have to go back and make sure it falls under the same number ID number. That part is a little bit complicated from my perspective, because that's what I use the most."

What other advice do I have?

I can give advice to other managers. If they are willing to properly manage, but they don't have the time or the bandwidth to actually operate, it's a very good tool. It's easy to get access to information and it's easy to understand what's going on with your application without much of a burden. You don't have to waste a lot of time trying to understand a complicated report. Everything is accessible. And the amount of information that Veracode gives based on the flaws is very straightforward and makes it easy for the Dev team to fix them. I would rate it at eight out of 10. The tool itself is…
Learn what your peers think about Veracode. Get advice and tips from experienced pros sharing their opinions. Updated: July 2021.
523,742 professionals have used our research since 2012.
SS
Head Of Information Security at a media company with 51-200 employees
Real User
Top 20
I used a lot of the findings to put pressure on our vendors to try to improve their security postures

What is our primary use case?

We use Veracode for static analysis of source code as well as some dynamic analysis.

Pros and Cons

  • "The most valuable features are that you can do static analysis and dynamic analysis on a scheduled basis and that you can push the findings into JIRA."
  • "The policies you have, where you can tune the findings you get, don't allow you not to file tickets about certain findings. It will always report the findings, even if you know you're not that concerned about a library writing to a system log, for example. It will keep raising them, even though you may have a ticket about it. The integration will keep updating the ticket every time the scan runs."

What other advice do I have?

My advice would be to definitely have some code that has a lot of security defects embedded into it and to run it through the scanner to test it early on in the process, ideally during the evaluation process. If your company works in five programming languages, you would want to create some code in each of those languages, code that has a lot of security defects, and then run the scanner over it to just make sure it can catch the security vulnerabilities you need it to catch and that it's consistent with how it raises those vulnerabilities. Veracode provides guidance for fixing vulnerabilities…
Srinivasa Rao Kuruba
Manager, Information Technology at Broadcom Corporation
Real User
Top 20
Our teams get a list of all vulnerabilities and incorporate fixes, ensuring that these issues do not happen in future code

What is our primary use case?

Veracode has both static application security testing as well as dynamic application security testing, also called Dynamic Analysis. Our primary use case was on the static analysis side, not on the dynamic, because we have an automated tool in the dynamic analysis scope. So our primary use was static analysis security testing.

Pros and Cons

  • "It is SaaS hosted. That makes it very convenient to use. There is no initial time needed to set up an application. Scanning is a matter of minutes. You just log in, create an application profile, associate a security configuration, and that's about it. It takes 10 minutes to start. The lack of initial lead time or initial overhead to get going is the primary advantage."
  • "When it comes to the speed of the pipeline scan, one of the things we have found with Veracode is that it's very fast with Java-based applications but a bit slow with C/C++ based applications. So we have implemented the pipeline scan only for Java-based applications not for the C/C++ applications."
SM
Principal for the Application Security Program and Access Control at a engineering company with 10,001+ employees
Real User
Top 20
The time savings has been tremendous, but the UI is too slow and its user experience has much to be desired

What is our primary use case?

We use it for dynamic scanning and Static Code Analysis as well as for Software Composition Analysis (SCA). We do use this solution's support for cloud-native applications.

Pros and Cons

  • "The time savings has been tremendous. We saw ROI in the first six months."
  • "There is much to be desired of UI and user experience. The UI is very slow. With every click, it just takes a lot of time for the pages to load. We have seen this consistently since getting this solution. The UI and UX are very disjointed."

What other advice do I have?

It is good for third-party scanning and if your code base is all modern web frameworks. It is also great for the third-party analysis. However, the Software Composition Analysis is not good if you have C++ code or anything legacy, as it does not cover that. It also does not cover iOS code. It has a lot of constraints. The solution’s policy reporting for ensuring compliance with industry standards and regulations is fine. We are using it for internal reporting, but we haven't really dug into the policy definitions and tweaking them. We are using its default policies. As part of our validation…
Deepak Naik
Product Owner - DevOps at Digite
Real User
Top 10
The centralized view of different testing types helps reduce our risk exposure

What is our primary use case?

We use Veracode primarily for three purposes: * Static Analysis, which is integrated into our CI/CD pipeline, using APIs. * Every release gets certified for a static code analysis and dynamic code analysis. There is a UAT server, where it gets deployed with the latest release, then we perform the dynamic code scanning on that particular URL. * Software Composition Analysis: We use this periodically to understand the software composition from an open source licensing and open source component vulnerability perspective.

Pros and Cons

  • "The centralized view of different testing types helps reduce our risk exposure. The development teams have the freedom to choose their own libraries and languages. What happens is sometimes developers feel like a particular library is okay to use, then they will start using it, developing some functionality around it. However, as per our mandate, for every new repository that gets added and scanned, a report gets published. Based on that report, we decide if we can continue. In the past, we have found, by mistake, some developers have used copyleft licenses, which are a bit risky to use. We immediately replace these with more permissive, open-source licenses, so we are safe in the end."
  • "If the dynamic scan is improved, then the speed might go up. That is somehow not happening. We have raised this concern. It might also help if they could time limit scans to 24 hours instead of letting them go for three days. Then, whatever results could be shared, even if the scan is not complete, that would definitely help us."

What other advice do I have?

I'm pretty confident about Veracode's ability to prevent vulnerable code from going into production when I'm using it. When you use Veracode, instead of using it as a manual tool, you should integrate it into your CI/CD pipeline. This way, every build is certified. Then, if there is an issue, you will know about it earlier in the development cycle, not later. Because as the time passes, it becomes more difficult to fix that issue. With Veracode's support for cloud-native applications, there are some components of our application (which are cloud-native), that we treat in the same way as…
Mauro Verderosa
Cybersecurity Expert at PSYND
Real User
Top 10
Visibility into application status across all testing types in a single dashboard helps us control everything we do

What is our primary use case?

We use both the static and the dynamic scanning. What we do is run the code through the scanner once we make any modifications. And periodically, we also run the dynamic to connect several applications. We use Veracode to check for specific vulnerabilities such as cross-site scripting. When we are checking for those vulnerabilities, we take a portion of code that is going to be generated and we run the scanner.

Pros and Cons

  • "Another feature of Veracode is that they provide e-learning, but the e-learning is not basic, rather it is quite advanced... in the e-learning you can check into best practices for developing code and how to prevent improper management of some component of the code that could lead to a vulnerability. The e-learning that Veracode provides is an extremely good tool."
  • "Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly."

What other advice do I have?

We were skeptical about running scans with a cloud-based solution, but then we saw the benefits. Everything is up to date without us having to lift a finger. We know we don't have to take care of maintenance. Also, if you work in the domain of medical devices, payment methods, or other things that are related to privacy, Veracode provides all these modules. This is a big advantage. Sometimes the scans are not done quickly, but the solutions that it provides are really good. The quality is high, but the analysis is not done extremely quickly. False positives are not a main problem. The platform…
RL
Security Architect at a financial services firm with 1,001-5,000 employees
Real User
Top 20
Effective at preventing vulnerable code from going into production, but static analysis is prone to false positives

What is our primary use case?

We use it to scan our web applications before we publish them to see if there are any security vulnerabilities. We use it for static analysis and dynamic analysis.

Pros and Cons

  • "The policy reporting for ensuring compliance with industry standards and regulations is pretty comprehensive, especially around PCI. If you do the static analysis, the dynamic analysis, and then a manual penetration test, it aggregates all of these results into one report. And then they create a PCI-specific report around it which helps to illustrate how the application adheres to different standards."
  • "The static analysis is prone to a lot of false positives. But that's how it is with most static analysis tools... Also, the static analysis can sometimes take a little while. The time that it takes to do a scan should be improved."

What other advice do I have?

If you are doing pipeline-based implementation, it would be more complex than the way that I'm doing this, but I didn't see any real challenges that would be tool-specific or vendor-specific, with implementation. Your development model will really determine what the best fit is for you in terms of licensing, because of the project-based licensing. If you do a few projects, that's more attractive. If you have a large number of developers, that would also make the product a little more attractive. But if you have maybe one or two developers doing many projects, then you might look more towards…
See 11 more Veracode Reviews